Midyear Security and Privacy Check-In

2016 and the beginning of 2017 were an incredible period for the cybercriminal. Ransomware attacks across all industry sectors have brought hackers untold millions. 2016 also saw cybercriminals become cleverer in how they approached an attack, building threats on the back of online ads and videos: the first half of 2016 saw a 400% increase in ‘bad ads’, also known as malvertising. As well as cybersecurity threats to the integrity and availability of our data, the privacy of those data has also taken a hit in 2016. Data breaches in healthcare have continued to blight our Protected Health Information (PHI) despite HIPAA regulations. At the time of writing, according to the U.S. Department of Health and Human Services Office for Civil Rights, there were 304 data compromises of PHI in 2016, the largest being at Banner Health with just over 3.6 million records.

Cyber security threats have been increasing, year on year, since 2010. It is big business, making the perpetrators a good living. But will we see any let-up in the onslaught of data breaches for the rest of 2017, or are we likely to continue to have ‘business as usual’ for the cybercriminal?

More drone-based privacy issues

“All I want for Christmas is a drone” is being heard across the country this year. It is expected that 1.2 million drones will be given as Christmas presents this year. The Federal Aviation Administration is calling for anyone who owns a drone to register it. Drones are already subject to certain privacy regulations: many states have an ‘intrusion upon seclusion’ tort to address the potential use of drones to spy on others. However, policing this, given the number of drones in the hands of the general public, will be a challenge in 2017. With the popularity of drone ownership, we may well see new, more enforceable federal laws come to light, overtaking the current mosaic of state laws that are trying to manage this new phenomenon.

More government surveillance

The US government is about to change hands, and president-elect Trump has already intimated that he will increase surveillance for national security purposes at the expense of privacy. One such action is the concept of a ‘Muslim database’, extensible to cover anyone who doesn’t fit into a certain world view. The tech industry has responded with a campaign organized under the website ‘neveragain.tech’, which has collected the signatures of engineers, designers, and business executives who have each pledged not to perform any duties associated with creating such a database, which would be based on “constitutionally-protected religious beliefs”.

Also, watch out in the coming months for the release of information about the number of US citizens who have been surveilled under the Section 702 surveillance authority. Section 702, although introduced for foreign intelligence purposes, has, perhaps unwittingly, ended up invading the privacy of our own citizens.

More ad surveillance and tracking

Online marketing is now overtaking TV advertising, with an expected spend in 2017 of around $75 billion according to a PwC report. The lifeblood of marketing is data, and analysis of those data is vital to effective campaigns. As the move to online, targeted marketing becomes ever greater, we should expect more of our data to be tracked and collated. The privacy issues with this are obvious, and the data protection and privacy expectations placed on online marketing will likely become even more apparent in 2017. Hopefully, consent requirements like those in the European Commission's General Data Protection Regulation (GDPR) will be adopted on a global stage and strengthen the consent aspect of sharing our data for marketing purposes.

Internet of Things (IoT)

As more of us incorporate smart devices into our homes, eavesdropping will become a real privacy concern. If the transmission of the data generated by consumer IoT devices is not properly protected, both manufacturers and hackers can use those devices to essentially watch our day-to-day lives. Similarly, smart cars could give away details of our whereabouts. The security of IoT devices has been in question this last year, with examples of devices being easily hackable, and potentially controlled by third parties, because of poorly applied access control measures. In 2017, unless simple security issues like hardcoded administration credentials are addressed, we can expect compromised privacy across consumer IoT devices.

Cyber Security

Ransomware has had an incredible year in 2016. The malware that encrypts your files without mercy, then demands a fee to decrypt them, has netted around $209 million for the perpetrators in the last year. With such a lucrative business method, new models are being explored, and Ransomware as a Service (RaaS) is one of them. RaaS opens up the world of malware infection to those who can’t create their own malware programs, or who don’t understand how to distribute them. With RaaS models, hackers use anonymous services, like Tor, to host their files and distribution tools. They then allow others to rent the ransomware service in exchange for a cut of the takings. Payment, of course, is fully automated: the operator's cut is taken at the point of payment by the infected organization. With RaaS being a successful model of distribution, we should expect to see more ransomware attacks using this mode of infection.

The ransomware chain letter

Another movement in the ransomware field takes the form of a chain letter. In the past, before we had email and social media, we had chain letters. They were a scourge of the mid-twentieth century. You would receive a letter, often purporting to attach a curse of some sort to the reader unless they forwarded the letter to a number of others within a certain time. Now ransomware creators are using this age-old technique to make more money. In this modern version of the chain letter, a person becomes infected with a form of ransomware known as ‘Popcorn Time’. The infected person is then given a choice: either pay 1 bitcoin to have your files decrypted, or send a Tor link to two others, who will then become infected if they click on the link. If those two others pay the ransom, the originator gets a decryption key for free. Nasty in the extreme, but as a business model it looks to be highly effective. This means that 2017 may well become the year of the ransomware chain letter.

IoT-based attacks like the DDoS

2016 saw the largest and widest-scale Distributed Denial of Service (DDoS) attacks ever. Services like Twitter, Spotify, and Airbnb were floored by a DDoS botnet built from compromised IoT devices. It is highly likely that even larger-scale and longer-lasting DDoS attacks will be perpetrated in 2017, as more and more Internet-enabled devices, like Amazon Echo, are taken into our homes.

Cyberterrorism

To date, there have been fewer cyberterrorism attacks than you’d expect from a world that is in turmoil. However, this can’t last, and 2017 may well be the year of the cyberterrorist. There seems to be a perfect storm brewing: a combination of world events and technology enhancements like IoT that will give the cyberterrorist both the motive and the weapon to carry out such attacks. One of the preconditions for such an attack is the Internet enablement of industry, or Industry 4.0, as it has become known. Industrial systems such as supervisory control and data acquisition (SCADA) have long been predicted to be vulnerable to terrorist attacks and have seen some attacks. However, 2017 may be the year this prediction comes true on a mass scale. The energy market, in particular, is embracing the use of the IoT, with an expected CAGR of over 24% in the next five years. The increase in Internet connection of industrial devices is opening the door to cyberterrorism attacks, and 2017 may be the year we see our critical infrastructures attacked.

Will the rest of 2017 be all bad?

As cybercriminals advance their techniques, build new business models, and find vulnerabilities in our new technologies, we also need to go on the attack. The Roman Republic, which reigned for over 500 years, was successful because of the fluidity of its approach to the enemy. The Romans had a flexible pattern of attack and adapted to each new threat. New approaches to cyber security and privacy, such as machine learning, solid regulations, and appropriate technology, will help us adapt to the ever-changing threat landscape, protecting our data and ourselves in 2017.

About the Author

Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.